
Introduction to Safety

2007-2008

1- Design in safety. The European standards structure.


In order to be freely marketed in the countries of the European Community, every product or machine must comply with Directives 2006/95/CE (Low Voltage Directive) and 2006/42/CE (Machinery Directive) and their subsequent modifications and completions; these directives set out the essential requirements that devices or machinery must satisfy to reach an adequate safety level for operators. Conformity is certified by the manufacturer issuing the Declaration of Conformity and applying the CE marking to the machine itself. For the assessment of machine risks and the realization of safety systems that protect the operator from those risks, the European standardization organizations CEN and CENELEC have issued a series of standards which translate the contents of the directives into technical requirements.

The safety standards are divided into three groups: A, B and C.
- Type A standards contain the basic concepts and the general design guidelines for the realization of all machines.
- Type B standards deal with one or more particular aspects of safety and are further divided into:
  - Type B1 standards, which concern specific safety aspects (for example safety distances, temperatures, noise, etc.);
  - Type B2 standards, which concern safety devices (for example two-hand controls, interlocking devices for guards, etc.).
- Type C standards deal in detail with the safety requirements for specific groups of machines (e.g. hydraulic presses, injection moulding machines).

The manufacturer of devices or machinery must first verify whether the product is covered by a type C standard. If so, that standard gives the safety requirements; otherwise the type B standards for each specific aspect or device of the product are applied. Failing further requirements, the manufacturer follows the general guidelines stated in the type A standards.
TYPE A STANDARDS
- EN 12100-1 and -2 (replace EN 292-1 and EN 292-2). Basic concepts, general design guidelines.
- EN 61508-1..-7. Functional safety of safety-related electrical, electronic and programmable electronic systems.
- EN 1050:1996. Principles of risk assessment (it will probably be replaced by ISO 14121).

TYPE B1 STANDARDS
- EN 62061:2005. Functional safety of safety-related electrical, electronic and programmable electronic control systems.
- EN 13849-1:2006 and -2:2003 (replace EN 954-1). Safety-related parts of control systems.

TYPE B2 STANDARDS
- EN 574:1996. Two-hand control devices.
- EN 13850:2006 (replaces EN 418:1992). Emergency stop.
- EN 1088:1995. Interlocking devices associated with guards.
- EN 60204-1:2006. Electrical equipment of machinery.
- EN 60947-5-1:2004. Electromechanical control devices.

TYPE C STANDARDS
- EN 201:1997. Machinery for rubber and plastic material. Injection machines.
- EN 415-1..-7:2000. Safety of wrapping machines.
- EN 692:2005. Mechanical presses.
- EN 693:2001. Hydraulic presses.
- EN 848-1:2007. Safety of wood-working machines. One-side milling machines with rotating tool: single-shaft vertical milling machine (router).

2- Short introduction to the new machinery safety standard


After a long evolution and discussion inside different international standardization bodies, some new standards(1) have been issued and have definitively come into force in the machine safety sector; these standards will gradually replace the current ones and redefine many basic concepts to which the market was accustomed. The approach of the new standards is probabilistic and their formulation, briefly, extends the deterministic concepts introduced with the EN 954-1 through new statistical variables indicated by terms such as PL, MTTFd, SIL and others to which, a little at a time, we will have to get used. Nowadays (2007) the course outlined by the new standards presents obstacles, because they are based on some assumptions that are not realized in the electromechanical sector. For example, these standards require manufacturers to have statistical data available, but without defining methodologies for the calculation of these values, consequently creating an uncertain situation in which every manufacturer could manage things his own way. As these statistical data express the quality of products with a quantitative value, it is plain that, without any clear and common definition, we could have more or less flexible interpretations from manufacturers, with the risk of a lot of confusion, which is not desirable in the safety sector. Furthermore, the new standards are not very easy to handle, and a possible overlap between the EN 13849 and the EN 62061 complicates the situation further. But the path has been outlined, and we hope that in future all problems will be solved with the common aim of improving machine safety.

(1)
- EN 954-1:1996. Safety of machinery. Safety-related parts of control systems. Part 1: General design guidelines. In the text this standard will be indicated as EN 954-1, if not otherwise specified.
- EN 61508-1:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 1: General requirements.
- EN 61508-2:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems.
- EN 61508-3:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 3: Software requirements.
- EN 61508-4:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 4: Definitions and abbreviations.
- EN 61508-5:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 5: Examples of methods for the determination of safety integrity levels.
- EN 61508-6:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3.
- EN 61508-7:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 7: Overview of techniques and measures.
In the text these standards will be indicated as EN 61508, if not otherwise specified.
- EN 62061:2005. Safety of machinery. Functional safety of safety-related electrical, electronic and programmable electronic control systems. In the text this standard will be indicated as EN 62061, if not otherwise specified.
- EN 13849-1:2006. Safety of machinery. Safety-related parts of control systems. Part 1: General design guidelines. (Note: ISO 13849-1:1999 is identical to EN 954-1:1996.)
- EN 13849-2:2003. Safety of machinery. Safety-related parts of control systems. Part 2: Validation.
In the text these standards will be indicated as EN 13849, if not otherwise specified.

General Catalog 2007-2008

3- Current normative situation (2007)


At present four very important standards are in force for machine safety.

EN 954-1:1996. It is a type B1 standard, which introduced the concept of safety categories. It covers machine-safety applications and foresees, but does not deal with, safety devices with electronic components.

EN 61508:2002. It is a type A standard, which introduced guidelines and calculation methods to evaluate and classify the safety level of machinery or devices containing electrical, electronic or programmable electronic components. This standard also introduces the concept of SIL (Safety Integrity Level).

EN 62061:2005. It is a type B1 standard derived from the EN 61508; it reports the same concepts and terminology, applying them to the machine safety sector. This standard also uses the concept of SIL.

EN 13849:2006. It is a type B1 standard which in some way links the EN 954-1 and the EN 62061, creating references to both standards and introducing the concept of PL (Performance Level). In detail, this standard covers electromechanical, hydraulic and non-complex electronic devices, and some programmable electronic devices with predefined structures. In this standard a correlation between SIL and PL is indicated, concepts borrowed from the EN 61508 (such as DC and CCF) are used, and a reference to the safety categories of the EN 954-1 is established. In practice, this standard tries to help the manufacturer, already used to the EN 954-1 concepts, to slide gently into the new statistical concepts. The EN 954-1:1996 will be in force up to November 2009, when it will be replaced by the EN 13849-1:2006. This last standard is already in force, so during the intermediate stage it will be possible to use both of them. Therefore, nowadays it is possible to classify machines according to both standards.

Important note. The EN 13849 is a type B1 standard; therefore, if a machine is already classified by a type C standard, it is the latter that prevails. All type C standards developed so far are based on the concepts of the EN 954-1. For manufacturers of machinery covered by a type C standard, the introduction time of the new standards could differ according to the updating speed of the various technical commissions. It is possible that a machine could keep its old classification according to the EN 954-1 even after this standard has expired.

4-Normative evolution: reason of changes, new standards and some overlapping


The current EN 954-1 has had the great merit of making explicit and classifying in an organic way what a good engineer already knew. This standard, with the introduction of safety categories and risk analysis methods, has helped to identify different degrees of machinery risk, has introduced a common analysis methodology across products of different sectors, and has proposed solutions (redundancy, self-checking) for the most dangerous applications. On the other hand, it does not deal with programmable electronic devices, it does not analyze cases where several machines are interconnected and, even if it introduces the concept of periodic monitoring, it gives few instructions on how this has to be carried out. The standard EN 61508 was initially issued to define the safety of electronic devices, particularly complex programmable electronic devices, so covering the gap left by the EN 954-1. But during its development at the IEC this standard gradually widened its field of application, becoming a very complex standard (an 800-page volume divided into 7 parts) suitable for different fields (process industry, industrial machinery, nuclear plants), so that it has achieved the status of a type A standard. Theoretically the EN 62061, derived from the EN 61508 for industrial machinery, should have covered only complex or programmable electronics, but owing to the widened approach of its ancestor it has finally included all electrical, electronic and programmable electronic circuits. The approach of these two standards is fundamentally probabilistic, and they introduce new statistical variables which require a deep analysis (mathematical as well) of the machinery, an analysis that can take much time and is not simple to apply. In the meantime the revision of the EN 954-1, carried out by CEN under the aegis of ISO, was at the development stage as the draft standard which then became the EN 13849.

The cross-references between the two standards mean that the commissions have talked to each other, but in the end they preferred to create an overlap of application fields, so that the final version of the EN 13849 also covers electronic and programmable electronic systems, even if only for some predefined structures and not for the maximum safety levels. The field of application is clearly stated in the EN 13849-1 (see Table 1) and, as can be seen, for wide product typologies both standards can be applied.

Table 1. Recommended application of IEC 62061 and ISO 13849-1 (taken from Table 1 of EN 13849-1:2006)

| Technology implementing the safety-related control function(s) | ISO 13849-1 | IEC 62061 |
|---|---|---|
| A. Non-electrical, e.g. hydraulics | X | Not covered |
| B. Electromechanical, e.g. relays, and/or non-complex electronics | Restricted to designated architectures (a) and up to PL = e | All architectures and up to SIL 3 |
| C. Complex electronics, e.g. programmable | Restricted to designated architectures (a) and up to PL = d | All architectures and up to SIL 3 |
| D. A combined with B | Restricted to designated architectures (a) and up to PL = e | X (c) |
| E. C combined with B | Restricted to designated architectures (see Note 1) and up to PL = d | All architectures and up to SIL 3 |
| F. C combined with A, or C combined with A and B | X (b) | X (c) |

X indicates that this item is dealt with by the International Standard shown in the column heading.
a. Designated architectures are defined in 6.2 (EN 13849-1) in order to give a simplified approach for the quantification of the performance level.
b. For complex electronics: use designated architectures according to this part of ISO 13849 up to PL = d, or any architecture according to IEC 62061.
c. For non-electrical technology, use parts in accordance with this part of ISO 13849 as subsystems.

The choice of the standard to use is up to the manufacturer and to the market, even if we believe that the EN 13849, with its intermediate approach and its reuse of the EN 954-1 concepts (supplemented with some others introduced by the EN 61508), is an easier standard to understand for small and medium machinery manufacturers.

5.0 - Risk analysis and assessment through EN 954-1 and EN 1050


These two standards define how to analyze (EN 1050) and consequently evaluate the potential risks of a machine, and give a methodology to reduce those risks through the adoption of suitable safety circuits (EN 954-1). The process is iterative: once a possible solution for risk reduction has been identified, this solution must be validated; otherwise the risk analysis must be repeated.

5.1 - Procedure for the choice and the design of safety measures
The following 5 steps are quoted from the standard EN 954-1 par. 4.3 for the correct choice and design of safety measures.
Step 1: Hazard analysis and risk estimation on the machine.
Step 2: Arrangement of measures for risk reduction by means of control devices.
Step 3: Specification of the safety requirements in terms of: - selection of the safety category; - realization of the safety functions.
Step 4: Design and check of the safety-related parts of a control system.
Step 5: Validation of the functions and of the achieved categories by comparison with what was defined in step 3.

5.2 - Risk assessment and safety categories


Some information regarding the choice of the proper safety category suitable for the machine in evaluation is quoted below.

Safety categories: risk table in accordance with the standard EN 954-1, Annex B

[Figure: risk graph. From the starting point the graph branches on S (severity), then on F (frequency) and P (possibility of avoidance): S1 leads to risk level I; S2, F1, P1 to level II; S2, F1, P2 to level III; S2, F2, P1 to level IV; S2, F2, P2 to level V. For each level, the columns B, 1, 2, 3, 4 show the preferential safety category (big circle) and the possible choice of a higher or lower category (small circles).]

Legend:
- Starting point for risk assessment.
- S: accident severity. S1 = reversible (slight) injury (e.g. small cuts, burns, light abrasions, etc.); S2 = irreversible (serious) injury or death (e.g. permanent disability, loss of limbs, breathing harm, etc.).
- F: presence in the dangerous zone. F1 = from rare to quite frequent (e.g. from weekly or more to once a day); F2 = from often to continuous (e.g. from many times a day to continuous).
- P: chance to avoid the accident or to reduce its effect significantly. P1 = possible under certain conditions (e.g. the worker is able to realize the imminent danger); P2 = almost impossible (e.g. the worker is unable to realize the imminent danger).
- I-V: estimated risk level.
- B, 1-4: safety categories of control systems. Big circle: preferential category foreseen for this risk level; small circles: choice of a higher category or choice of a lower category.

It is possible to use categories different from the preferential ones (big circle), but the foreseen behaviour of the system in case of faults must be taken into consideration. Also, the reasons for the derogation must be indicated by the machine manufacturer. When categories indicated by a small circle are chosen, some additional measures can be required, for example:
- over-sizing or use of techniques for fault elimination;
- use of dynamic monitoring.


5.3 - Table of requirements for each category according to the standard EN 954-1 par. 6.2
For each safety category the table gives the list of requirements, the behaviour of the system and the safety principles.

Category B
- Requirements: Safety-related parts of control systems and/or their protection devices, as well as their components, have to be designed, manufactured, chosen and combined in compliance with the pertaining standards, in order to withstand the foreseen influences.
- Behaviour of the system: An occurring error may cause the loss of the safety function.
- Safety principles: Mainly marked by the choice of the components.

Category 1
- Requirements: The requirements of category B are applied. Well-tested components and safety principles must be used.
- Behaviour of the system: An occurring error may cause the loss of the safety function, but the probability of error occurrence is lower than in category B.
- Safety principles: Mainly marked by the choice of the components.

Category 2
- Requirements: The requirements of category B and the use of well-tested safety principles are applied. The safety function has to be checked by the control system from time to time, or at least on every machine start and before any dangerous situation.
- Behaviour of the system: An occurring error may cause the loss of the safety function between the checks. The loss of the safety function is detected by the check.
- Safety principles: Mainly marked by the structure.

Category 3
- Requirements: The requirements of category B and the use of well-tested safety principles are applied. Safety-related parts have to be designed so that: a single error in one of these parts does not cause the loss of the safety function; where reasonably practicable, the single error is detected.
- Behaviour of the system: When one single error occurs, the safety function is always performed. Not all errors are detected. The accumulation of undetected errors may cause the loss of the safety function.
- Safety principles: Mainly marked by the structure.

Category 4
- Requirements: The requirements of category B and the use of well-tested safety principles are applied. Safety-related parts have to be designed so that: a single error in one of these parts does not cause the loss of the safety function; the single error is detected at or before the next demand of the safety function. If this is not possible, then the accumulation of errors must not cause the loss of the safety function.
- Behaviour of the system: When errors occur, the safety function is always performed. Errors are detected in time to avoid the loss of the safety function.
- Safety principles: Mainly marked by the structure.


6.0 - Risk analysis and assessment through EN 13849 and ISO 14121
Also in the case of the EN 13849 and ISO 14121 (mentioned in the EN 13849 but still today not in force), the process for risk analysis, assessment and reduction is iterative and structurally similar to that of the pair of standards EN 954-1 and EN 1050. The following figure shows the iterative evaluation process as stated in the EN 13849-1.

[Flowchart, reconstructed as text]

START
1. Determination of the limits of the machine (see 5.2 a).
2. Hazard identification (see clause 4 a and 5.3 a).
3. Risk estimation (see 5.3 a).
4. Risk evaluation (see 5.3 a).
(Steps 1-4: risk assessment carried out in accordance with ISO 14121.)
5. Has the risk been adequately reduced? Yes: END. No: continue.
6. Risk reduction process for the hazard: 1) by intrinsic design, 2) by safeguards, 3) by information for use (see ISO 12100-1:2003, Figure 4).
7. Does the protective measure selected depend on a control system? No: go to step 9. Yes: go to step 8.
8. Verification of safety-related control systems according to ISO 13849-1:
   - Identify the safety functions to be performed by SRP/CSs.
   - For each safety function, specify the required characteristics (see Clause 5 b).
   - Determine the required performance level PLr (see 4.3 b and Annex A b).
   - For each selected safety function:
     - Design and technical realisation of the safety function: identify the safety-related parts which carry out the safety function (see 4.4 b).
     - Evaluate the performance level PL (see 4.5 b) of the above safety-related parts considering: category (see Clause 6 b); MTTFd (see Annex C b and D b); DC (see Annex E b); CCF (see Annex F b); if existing, software (see 4.6 b and Annex J b).
     - Verification of the PL for the safety function: is PL ≥ PLr (see 4.7 b)? No: return to the design step. Yes: continue.
     - Validation (see Clause 8 b, c): are all requirements met? No: return to the design step. Yes: continue.
   - Have all safety functions been analysed? No: next safety function. Yes: go to step 9.
9. Are other hazards generated? Yes: return to hazard identification (step 2). No: return to step 5.

a) Refers to ISO 12100-1:2003. b) Refers to ISO 13849-1:2006. c) ISO 13849-2 provides additional help for the validation.
This iterative risk reduction process shall be carried out separately for each hazard under each condition of use (task).

Note: this figure has been obtained by combining figures 1 and 3 of EN 13849-1:2006.


6.1- New and old concepts: Safety categories, PL, MTTF, DC


As with the EN 954-1, the EN 13849 also uses a graph for the risk analysis of a machine function (see figure), but it determines, instead of a safety category, a required performance level (PLr) for the safety function that will protect that part of the machine. The manufacturer will have to build a system to protect the operator with a (calculated) performance level PL equal to or higher than the one required.

Risk graph for determining the required PLr for a safety function (taken from EN 13849-1, figure A.1)

[Figure: risk graph. From the starting point (1) the graph branches on S, F and P; the end of each path gives the required performance level PLr, from a low (L) to a high (H) contribution to risk reduction.]

Key:
- 1: starting point for the evaluation of the safety function's contribution to risk reduction
- L: low contribution to risk reduction
- H: high contribution to risk reduction
- PLr: required performance level

Risk parameters:
- S, severity of injury: S1 = slight (normally reversible injury); S2 = serious (normally irreversible injury or death)
- F, frequency and/or exposure to hazard: F1 = seldom-to-less-often and/or exposure time is short; F2 = frequent-to-continuous and/or exposure time is long
- P, possibility of avoiding the hazard or limiting harm: P1 = possible under specific conditions; P2 = scarcely possible

PLs are classified in 5 levels, from PL a to PL e with increasing risk, and each of them identifies a numerical range of average probability of dangerous failure per hour. For example, PL d indicates that the average probability of a dangerous failure per hour lies between 1 x 10^-6 and 1 x 10^-7, that is about 1 dangerous failure every 100-1000 years.

| PL | Average probability of a dangerous failure per hour (1/h) |
|---|---|
| a | ≥ 10^-5 and < 10^-4 |
| b | ≥ 3 x 10^-6 and < 10^-5 |
| c | ≥ 10^-6 and < 3 x 10^-6 |
| d | ≥ 10^-7 and < 10^-6 |
| e | ≥ 10^-8 and < 10^-7 |

[Figure: the PL scale set beside the safety categories (from EN 954-1) for comparison.]

There is no direct correlation between PL and the safety categories of EN 954-1. The EN 13849 reuses the concept of safety categories as an aggregation of system topology (single channel, redundant, etc., using the term "designated architectures") and of system resistance to failure, supplementing them with the calculation of further new numerical parameters:


MTTFd (Mean Time To Dangerous Failure). This parameter is essentially a quality statement of the system, representing the expected average working time without a dangerous failure (not a generic failure), expressed in years. In practice, the calculation of the MTTFd is based on numerical values supplied by the manufacturers of the single components of the system. In the absence of data, the standard provides values in suitable reference tables. The calculation leads to a numerical value that falls into one of three classes: high, medium or low.

CCF (Common Cause Failures). Only for category 2, 3 or 4 systems, the calculation of the MTTFd also requires the evaluation of possible common cause failures, or CCF, which could invalidate the redundancy of the system.

DC (Diagnostic Coverage). This parameter indicates how far the system is able to detect its own possible failures. The diagnostic coverage varies according to the percentage of dangerous failures that the system, thanks to its structure, is able to detect. Also in this case the parameter DC is divided into classes, in detail: high, medium, low and none. A diagnostic coverage of "none" is admitted only for systems of category B or 1.

Through these three parameters, Category, MTTFd and DC, the standard supplies a table (see figure, or Annex K of EN 13849-1) that allows seeing which PL can be achieved.

Relationship between categories, DCavg, MTTFd of each channel and PL (taken from EN 13849-1, figure 5)

[Figure: bar chart of the achievable performance level PL for each combination of category and DCavg; the three shadings (1, 2, 3) indicate MTTFd of each channel = low, medium, high.]

The manufacturer who wants to verify machine safety has to follow the iterative approach provided by the standards. In particular, after the first stage of risk assessment (according to EN 1050 or ISO 14121), if the protection is supplied by a control system, an iterative stage follows to verify that the system itself is able to supply the required protection level. This second phase starts by determining the required performance level PLr that supplies the necessary degree of protection for the risks found; during this phase the graph shown above is used. Then a protection system is assumed, identifying the safety category (according to the architecture and failure resistance), calculating the MTTFd and verifying DC and CCF as well. With these values it is possible to calculate the PL of one's own system and, if this turns out to be higher than or equal to PLr, the system is considered suitable. At this point a system validation stage (according to EN 13849-2) follows and, if this verification is also positive, the risk at issue can be considered sufficiently limited.


7- What will change in the risk analysis: two important variations


In the shift from the old to the new group of standards, the main novelties are the probabilistic approach and the introduction of all the new parameters pointed out in the previous paragraphs. It is clear that, in order to comply with the new standards, a higher level of skill and training will be required of all operators in the sector. There are also two important differences introduced by the new standards concerning risk analysis and assessment, with respect to what has been done so far:

1) The risk of a slight accident (no permanent injury) no longer necessarily leads to a low safety level (category B or 1) as in the EN 954-1. Now a frequent and difficult-to-avoid slight accident risk is considered equal to an infrequent and avoidable permanent accident risk (level PLr = c).

[Figure: the two risk graphs side by side. Left, according to EN 954-1: from the start, S1 leads to risk level I, while S2 branches on F1/F2 and P1/P2 to levels II-V, with the safety categories B, 1-4 alongside. Right, according to EN 13849-1:2006: the risk graph of figure A.1 (see section 6.1).]

2) Whereas in the EN 954-1 standard a system of a certain category had to have a specific structure, in the new standard many paths are possible to obtain an intermediate performance level. For instance, to obtain a system with PL equal to level c, all the following solutions are correct:
1. A category 3 system with less reliable components (MTTFd = low) and medium DC.
2. A category 3 system with reliable components (MTTFd = medium) and low DC.
3. A category 2 system with reliable components (MTTFd = medium) and medium DC.
4. A category 2 system with highly reliable components (MTTFd = high) and low DC.
5. A category 1 system with highly reliable components (MTTFd = high).

Simplified procedure for evaluating the PL achieved by an SRP/CS (derived from EN 13849-1, figure 7)

| Category | DCavg | MTTFd of each channel = low | MTTFd = medium | MTTFd = high |
|---|---|---|---|---|
| B | none | a | b | not covered |
| 1 | none | not covered | not covered | c |
| 2 | low | a | b | c |
| 2 | medium | b | c | d |
| 3 | low | b | c | d |
| 3 | medium | c | d | d |
| 4 | high | not covered | not covered | e |

The machine manufacturer has to consider which combination is the best for his machine for the ratio performance/price.
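The verification procedure of section 6.1 and the "many paths to one PL" point above, carried through in code as an added example (not part of the original catalogue): the risk graph of EN 13849-1 figure A.1 gives PLr, the simplified table above gives the PL reached by a designated architecture, and the two are compared. The MTTFd and DC class boundaries and the parts-count formula for a channel's MTTFd are taken from EN 13849-1:2006 (Tables 4 and 5, Annex D) and are not reproduced on this page; the component MTTFd values and the DC percentage used in `main` are constructed.

```python
"""Worked EN 13849-1 procedure: PLr from the risk graph, PL from the
simplified (category, DCavg, MTTFd) table, then the check PL >= PLr.
Added example: tables transcribed from EN 13849-1:2006 (figure A.1,
table 3, figure 7 / table 7 as reproduced above)."""

PL_ORDER = "abcde"  # increasing risk reduction

# Figure A.1 risk graph: (S, F, P) -> required performance level PLr.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# Average probability of a dangerous failure per hour (1/h) for each PL,
# as (lower bound inclusive, upper bound exclusive).
PFH_RANGE = {
    "a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6), "e": (1e-8, 1e-7),
}

# Simplified procedure (figure 7): (category, DCavg) -> PL reached with
# MTTFd of each channel = low, medium, high; None means "not covered".
MTTFD_CLASSES = ("low", "medium", "high")
SIMPLIFIED = {
    ("B", "none"):   ("a", "b", None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}


def required_pl(severity, frequency, avoidance):
    """PLr for one safety function from its S/F/P parameters."""
    return RISK_GRAPH[(severity, frequency, avoidance)]


def channel_mttfd(component_mttfd_years):
    """MTTFd of one channel from its components (EN 13849-1 Annex D,
    parts-count method: 1/MTTFd = sum of 1/MTTFd_i), capped at the
    100 years the standard allows for a channel."""
    total = 1.0 / sum(1.0 / m for m in component_mttfd_years)
    return min(total, 100.0)


def mttfd_class(years):
    """Classes of EN 13849-1 table 4: low 3-10, medium 10-30, high 30-100 years."""
    if 3 <= years < 10:
        return "low"
    if 10 <= years < 30:
        return "medium"
    if 30 <= years <= 100:
        return "high"
    raise ValueError(f"MTTFd of {years} years is outside the permitted range")


def dc_class(percent):
    """Classes of EN 13849-1 table 5: none <60 %, low 60-90 %, medium 90-99 %, high >=99 %."""
    if percent < 60:
        return "none"
    if percent < 90:
        return "low"
    if percent < 99:
        return "medium"
    return "high"


def achieved_pl(category, dc_avg, mttfd):
    """PL of a designated architecture, or None where the table says 'not covered'."""
    row = SIMPLIFIED.get((category, dc_avg))
    if row is None:
        raise ValueError(f"category {category} with DCavg {dc_avg} is not a designated architecture")
    return row[MTTFD_CLASSES.index(mttfd)]


def pl_satisfies(pl, plr):
    """The verification step of figure 3: is PL >= PLr?"""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def solutions_for(pl):
    """Every (category, DCavg, MTTFd class) of the simplified table that yields exactly `pl`."""
    return [(cat, dc, m)
            for (cat, dc), row in SIMPLIFIED.items()
            for m, reached in zip(MTTFD_CLASSES, row) if reached == pl]


def years_between_dangerous_failures(pl):
    """Rough mean interval implied by the PFH band, in years (8760 h/year)."""
    low, high = PFH_RANGE[pl]
    return 1 / (high * 8760), 1 / (low * 8760)


if __name__ == "__main__":
    plr = required_pl("S2", "F1", "P1")  # serious, seldom, avoidable -> c
    # Constructed component data for one channel: three parts, MTTFd in years.
    mttfd = channel_mttfd([50, 80, 150])
    pl = achieved_pl("2", dc_class(92), mttfd_class(mttfd))  # constructed DC of 92 %
    print(f"PLr={plr}, channel MTTFd={mttfd:.1f} y ({mttfd_class(mttfd)}), "
          f"PL={pl}, suitable={pl_satisfies(pl, plr)}")
    print("architectures reaching PL c:", solutions_for("c"))
```

Running it lists exactly the five category/DC/MTTFd combinations given above for PL c, and shows that a category 2 channel of three constructed parts lands in the medium MTTFd class and meets a PLr of c.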


5 - Examples of connections according to the standard EN 954-1 (min. requirements)


Emergency stop push button and rope safety switches for emergency stop installation.

[Figure: wiring diagram and circuit structure, safety category B-1. Three emergency stop devices E-stop1, E-stop2, E-stop3 (push buttons CC 01AAB00AB or rope switches FD 1878) in series with the Stop and Start buttons in the coil circuit of contactor KM1, between L/+ and N/-; KM1 switches the motor M.]

[Figure: wiring diagram and circuit structure, safety category 2. The same devices E-stop1, E-stop2, E-stop3 (CC 01AAB00AB or FD 1878) in series on the input of the safety module CS AR-40.... (supply A1/A2, Start button on S33/S34); the module output 13/14 drives contactor KM1, which switches the motor M.]

If an external contactor (KM1) is used to increase the load capacity of the contacts, this contactor should have forced guided contacts.


[Figure: wiring diagram and circuit structure for a higher safety category, with the safety module CS AR-20..... E-stop1, E-stop2, E-stop3 (push buttons CC 01AAB00AC or rope switches FD 978) in series on the module input (supply A1/A2, Start button on S33/S34); the module outputs 13/14 and 23/24 drive contactors KM1 and KM2, which switch the motor M.]

If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts.

[Figure: wiring diagram and circuit structure for a higher safety category, with the safety module CS AR-01..... E-stop1 ... E-stopn (CC 01AAB00AC or FD 978) wired to the input terminals S11, S12, S21, S22, S31, S35 (supply A1/A2, Start button on S33/S34); the module outputs 13/14 and 23/24 drive contactors KM1 and KM2, which switch the motor M.]

If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts. Attention: the examples given above are purely descriptive and give only an indication of how to set up a safety circuit according to the categories foreseen by standard EN 954-1. It is the manufacturer's responsibility to check that the correct circuits are applied on each specific machine.


Applications with safety switches for gate monitoring.

[Figure: wiring diagram and circuit structure, safety category B-1. Safety switches SS1, SS2, SS3 (FX 693) in series with the Stop and Start buttons in the coil circuit of contactor KM1, between L/+ and N/-; KM1 switches the motor M.]

[Figure: wiring diagram and circuit structure, safety category 2. Safety switches SS1, SS2, SS3 (FX 693) in series on the input of the safety module CS AR-40.... (supply A1/A2, Start button on S33/S34); the module output 13/14 drives contactor KM1, which switches the motor M.]

If an external contactor (KM1) is used to increase the load capacity of the contacts, this contactor should have forced guided contacts.


[Figure: wiring diagram and circuit structure, safety category 3. Safety switches SS1, SS2, SS3 (FX 993) on the input of the safety module CS AR-20.... (supply A1/A2, Start button on S33/S34); the module outputs 13/14 and 23/24 drive contactors KM1 and KM2, which switch the motor M.]

If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts. Attention: the use of only one switch for each guard requires that the mechanical breaking of that switch can be excluded in the risk analysis.

[Figure: wiring diagram and circuit structure for a higher safety category, with two switches per guard: SS1 (FR 693) and SS2 (FR 1896), SS3 (FR 693) and SS4 (FR 1896), ..., SSm (FR 693) and SSn (FR 1896), wired to the input terminals S11, S12, S21, S22, S31, S35 of the safety module CS AR-01.... (supply A1/A2, Start button on S33/S34); the module outputs 13/14 and 23/24 drive contactors KM1 and KM2, which switch the motor M.]

If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts. Attention: the examples given above are purely descriptive and give only an indication of how to set up a safety circuit according to the categories foreseen by standard EN 954-1. It is the manufacturer's responsibility to check that the correct circuits are applied on each specific machine.


6 - Positive opening, redundancy, diversification and self-control


Positive manner and negative manner. According to the standard EN 292-2 point 3.5, if a mechanical component in motion directly drives another component, through physical contact or a rigid mechanical linkage, that connection is said to be in a positive manner. Instead, if the movement of a mechanical component simply allows another element to move freely, without applying direct force (for example by gravity, spring effect, etc.), their connection is in a negative manner.

[Figure: positive manner versus negative manner. For each manner the switch is shown with the machine working and the door closed, and with the machine stopped and the door open. Dangerous failures in which the machine keeps working: worn-out roller or misaligned roller (positive manner); welded contacts or broken spring (negative manner).]

The positive manner avoids, with preventive maintenance, the dangerous failures indicated above. On the contrary, the negative manner failures occur inside the switch and are therefore difficult to detect. With the positive manner, internal failures (welded contacts or broken springs) allow the opening of the contacts and therefore the stopping of the machine.

[Figure: positive manner with a broken spring or with welded contacts: in both cases the machine is stopped.]


Use of switches in safety applications. When a single switch is used in a safety function, it must be actuated in a positive manner. The opening contact (normally closed) must have positive opening in order to be used for safety applications. All switches marked with the positive opening symbol in this catalogue are provided with NC contacts with positive opening.

[Figure: positive opening. Rigid, non-flexible connection between the moving contacts and the actuator, where the actuating force is applied.]

If there are two or more switches, it is suggested that they operate in opposite manners, for example:
- one with a normally closed contact (opening contact) actuated by the guard in a positive manner;
- the other with a normally open contact (closing contact) actuated by the guard in a non-positive manner.
This is common practice; however, it does not exclude, if justified, the use of two switches both actuated in a positive manner (see diversification).

Diversification. Safety in a redundant system is increased by diversification. It is obtained by using two limit switches of different design and/or technology, in order to avoid failures arising from the same causes. Some examples of diversification are: the use of a switch working in a positive manner together with one working in a non-positive manner; a switch with mechanical actuation and one with non-mechanical actuation (e.g. an electronic sensor); two switches with mechanical actuators working in a positive manner but with different actuation principles (e.g. one actuator-operated FR 693 switch and one hinge-operated FR 1896 switch).

Redundancy. Redundancy is the use of more than one device or system in order to guarantee that, in case of a functional failure in one of them, another one is available to perform the safety functions. If the first failure is not detected, a possible second failure may cause the loss of the safety functions.

Self-monitoring. Self-monitoring consists in the automatic checking of the correct functioning of every device during the machine working cycle. Consequently, the next working cycle can be either accepted or rejected.

Redundancy and self-monitoring. The combination of both, redundancy and self-monitoring, ensures that a first failure in the safety circuit does not cause the loss of the safety functions. This first failure will be detected at the next restart, or in any case before a second failure, which might cause the loss of the safety functions.
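To make the behaviours described in this section concrete, the added example below (not part of the original catalogue) models a guard circuit under three structures: a single positive-opening contact, two redundant channels without monitoring, and two redundant channels with a plausibility check at every restart. A welded contact is injected on one channel and then on the second; the monitoring rule is a simplification of how a two-channel safety module cross-checks its inputs, not the logic of any CS AR module, and the guard sequence is constructed.

```python
"""Model of the three structures discussed above (single contact, redundancy
without monitoring, redundancy with self-monitoring), all driven by one guard
sequence with welded-contact faults injected. Added example: the monitoring
rule is a simplification of a two-channel safety module, not a real product."""


def contacts(door_closed, welded):
    """State of the two NC contacts opened by the guard in a positive manner:
    True = closed. A welded contact stays closed even with the guard open."""
    return tuple(door_closed or ch in welded for ch in (1, 2))


def single_channel(events):
    """Category B/1 structure: one contact in the contactor coil circuit.
    Returns the machine state after each event (True = running)."""
    running, trace = False, []
    for door_closed, start, welded in events:
        ch1, _ = contacts(door_closed, welded)
        running = ch1 and (running or start)
        trace.append(running)
    return trace


def redundant(events):
    """Two channels in series, no monitoring: a first welded contact is
    tolerated but never noticed; a second one loses the safety function."""
    running, trace = False, []
    for door_closed, start, welded in events:
        ch1, ch2 = contacts(door_closed, welded)
        running = ch1 and ch2 and (running or start)
        trace.append(running)
    return trace


def redundant_monitored(events):
    """Two channels plus self-monitoring: a restart is granted only if both
    channels were seen open since the machine last ran. A channel that never
    opened (welded contact) is detected at the next restart and the fault is
    latched. Returns (trace, fault_detected)."""
    running, fault, trace = False, False, []
    seen_open = {1: True, 2: True}       # power-up self-test assumed passed
    for door_closed, start, welded in events:
        ch1, ch2 = contacts(door_closed, welded)
        if not (ch1 and ch2):            # demand: at least one channel opened
            running = False
            seen_open[1] |= not ch1
            seen_open[2] |= not ch2
        elif start and not running and not fault:
            if all(seen_open.values()):
                running = True
                seen_open = {1: False, 2: False}
            else:
                fault = True             # channels disagree: latch, refuse restart
        trace.append(running and not fault)
    return trace, fault


# Constructed scenario: (door_closed, start_pressed, set of welded channels).
SCENARIO = [
    (True, True, set()),       # 0 guard closed, start -> machine runs
    (False, False, set()),     # 1 guard opened -> machine must stop
    (True, True, set()),       # 2 guard closed again, restart
    (False, False, {1}),       # 3 first fault: contact 1 welded, guard opened
    (True, True, {1}),         # 4 restart attempt with the first fault present
    (False, False, {1, 2}),    # 5 second fault: both welded, guard opened
]

if __name__ == "__main__":
    print("single channel       ", single_channel(SCENARIO))
    print("redundant            ", redundant(SCENARIO))
    print("redundant + monitored", redundant_monitored(SCENARIO))
```

The single contact keeps the machine running at step 3 (loss of the safety function on the first fault); the unmonitored pair still stops at step 3 but restarts at step 4 and fails at step 5 (accumulation of undetected errors); the monitored pair refuses the restart at step 4 and latches the fault.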
